HIPAA, HITECH and Beyond

Covered entities which experienced a HIPAA breach in calendar year 2015 are required to report all such breaches affecting fewer than 500 individuals to OCR by Monday, February 29, 2016. The reports must be submitted via OCR’s online portal, available here. This yearly reporting obligation is in addition to the requirement to report large breaches — those affecting 500 or more individuals — within 60 days of discovering the breach.

This is also an appropriate time to review and update breach notification policies and procedures to make sure that covered entities have in place the appropriate mechanisms to notify OCR timely and appropriately.

Last week, we authored a client alert highlighting affiliations between CVS and a number of health care systems throughout the country which, according to CVS, will enable it to provide prescription and MinuteClinic visit information to participating health care providers by enabling communication between secured electronic health record (EHR) systems. CVS/pharmacy will share electronic messages and alerts with affiliates’ physicians regarding patient medication non-adherence, and MinuteClinic will electronically share patient visit summaries with the patient’s primary care physician (with patient consent).

For a more detailed discussion of how various industry segment providers are moving towards clinical integration with the help of EHRs, please see our alert.

Lincare, Inc. d/b/a United Medical (Lincare) was found to have violated HIPAA when the estranged husband of one of its managers complained to OCR that his wife improperly permitted him access to the records of 278 Lincare patients. After an OCR investigation and proposed determination, an HHS administrative law judge (ALJ) upheld the civil money penalty (CMP) of $239,800, finding that Lincare did not implement policies and procedures to safeguard records containing its patients’ PHI, and failed to protect against a disclosure of the PHI to unauthorized persons.

This post discusses where Lincare went wrong, and what providers can do to avoid a similar fate.

The Federal Trade Commission (“FTC”) recently announced a settlement with Henry Schein Practice Solutions, Inc., a dental practice software provider, concluding an investigation into claims that Henry Schein misled customers about the encryption capabilities of its software.

According to the FTC, Henry Schein advertised its Dentrix G5 software as meeting industry encryption standards despite the fact the company was aware that the software used a proprietary data masking technique that fell short of the NIST encryption standard. The patient data within the Dentrix G5 system was not encrypted, but rather camouflaged. Henry Schein marketed Dentrix G5 to providers as meeting HIPAA requirements when it did not, and also failed to notify providers of the misleading claims after it became aware of the software’s deficiencies.

In the complaint, the FTC determined that Henry Schein’s claims of encryption would be material to providers assessing whether to notify affected individuals in the event of a suspected HIPAA breach since a breach of encrypted PHI does not require notification under HIPAA’s Breach Notification Rule. This enforcement should serve as a reminder to providers to verify whether their (or their vendors’) encryption technology is sufficient to take advantage of the HIPAA breach notification encryption safe harbor. Rigorous due diligence prior to engaging a vendor and robust contractual representations concerning encryption technology are two ways providers can protect themselves in this regard.

The complaint, proposed consent order, and FTC press release may be accessed here.

OCR reached settlements with two academic medical centers, the Lahey Hospital and Medical Center and University of Washington Medicine (UWM), and one insurance holding company, Triple-S Management Company. Each entity will be subject to a corrective action plan and civil monetary penalties that range from $750,000 to $3.5 million.

Many thanks once again to our colleague, Robin Canowitz, for authoring this post.

In the largest HIPAA settlement yet to be announced, two New York organizations have agreed to pay $4.8 million to settle allegations that they failed to secure the electronic protected health information (ePHI) of thousands of their patients. New York Presbyterian Hospital (NYP) and Columbia University (CU) submitted a joint breach report in September of 2010, indicating that the disclosure of ePHI of 6,800 individuals included patient status, vital signs, medications and laboratory results. The organizations are separate entities for HIPAA purposes, but operated a shared data network which was administered by employees of both entities.

According to the U.S. Department of Health & Human Services (HHS) Office of Civil Rights (OCR), the breach was caused when a physician employed by both entities attempted to deactivate a personally owned computer server on a network containing ePHI from NYP. Due to a lack of technical safeguards, the deactivation of the server resulted in ePHI being accessible on internet search engines. OCR noted that its investigation also revealed that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and contained appropriate protections. Further, OCR determined that neither entity had conducted an accurate and thorough risk analysis of their systems which accessed ePHI.

NYP agreed to pay a monetary settlement of $3.3 million, while CU agreed to pay $1.5 million. Both entities have also agreed to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff and providing progress reports.

In April 2014, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) continued to emphasize the importance of encryption in maintaining the confidentiality and security of protected health information (“PHI”), especially in addressing and mitigating the significant risk to PHI posed by unencrypted laptops and other mobile devices.

On April 22, 2014, OCR announced that it had resolved potential HIPAA violations arising out of the theft of unencrypted laptops with two different covered entities, Concentra Health Services (“Concentra”) and QCA Health Plan, Inc. of Arkansas (“QCA”). The collective settlement with both covered entities totaled $1,975,220.00.

Concentra agreed to pay OCR $1,725,220 to settle potential HIPAA violations, and will adopt a corrective action plan to evidence the remediation of OCR’s findings. OCR’s investigation of Concentra began following its receipt of a breach report that an unencrypted laptop was stolen from its Springfield, Missouri facility. OCR’s investigation revealed that Concentra had previously recognized, in multiple risk analyses, that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing ePHI was a critical risk. OCR found that while Concentra took steps to begin encryption, its efforts were incomplete and inconsistent which left patient PHI vulnerable throughout the organization. OCR’s investigation further found Concentra had insufficient security management processes in place to safeguard PHI.

Similarly, OCR received a breach notice in February 2012 from QCA reporting that an unencrypted laptop containing the ePHI of 148 individuals was stolen from a workforce member’s car. While QCA encrypted its devices following discovery of the breach, OCR’s investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rule in April 2005 and ending in June 2012. QCA agreed to pay a $250,000 monetary settlement, and is required to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to and vulnerabilities of its ePHI. QCA is also required to re-train its workforce and document its ongoing compliance efforts.

Susan McAndrew, OCR’s deputy director of health information privacy, stated that “Covered entities and business associates must understand that mobile device security is their obligation. Our message to these organizations is simple: encryption is your best defense against these incidents.”

The Resolution Agreements can be found on the OCR website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/stolenlaptops-agreements.html.

Many thanks once again to our colleague, Sylvia Brown, for her assistance in authoring this post.

The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the U.S. Department of Health & Human Services (HHS) Office of Civil Rights (OCR), recently released a security risk assessment tool (SRA Tool) to assist entities in complying with the HIPAA Security Rule.

As we have discussed previously (most recently here and here), the Security Rule requires entities (both covered entities and business associates) to conduct a risk assessment of their administrative, physical, and technical safeguards on a regular basis. To facilitate this risk assessment, the SRA Tool walks the user through each HIPAA requirement by presenting 156 questions targeted at the entity’s security practices. An affirmative or negative answer will prompt a response from the SRA Tool indicating whether the entity needs to take corrective action for that particular item. The SRA Tool contains resources to help the entity assess the potential impact to its PHI if a requirement is not met.

The tool was developed as a self-contained, operating system independent application that can be run on various environments, such as laptops, desktops and tablets. Although users may document responses and risk remediation plans directly into the SRA Tool, the SRA Tool does not transmit the data outside of the tool’s environment. Paper copies of the SRA Tool are also available. Entities can learn more about the SRA Tool by watching a video of how it operates.

Entities should note that the SRA Tool does not do away with or otherwise limit any HIPAA compliance obligation, and HHS does not guarantee that use of the tool will ensure compliance with the law. HHS’ intent in releasing this tool is to provide an additional resource to help entities assess the security practices of their organizations. Therefore, entities should view the SRA Tool as another arrow in their HIPAA compliance quiver that can be used in identifying and correcting organizational security risks. Depending on the complexity of the risk, legal counsel should be consulted, as the penalties for non-compliance are significant.

The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) has announced that it is gearing up for its second round of HIPAA compliance audits later this year. The HIPAA Audit Program is authorized under Section 13411 of the HITECH Act and is intended to assess compliance with the HIPAA Privacy, Security, and Breach Notification Rules. While this next round of audits will be narrower in scope than OCR’s 2012 pilot audit program, OCR will include business associates as well as covered entities.

In a February 24, 2014 Notice in the Federal Register (“Notice”) [1], OCR announced that it will soon launch a survey of 1,200 organizations (800 covered entities and 400 business associates) as a first step toward selecting those organizations to be audited. In a presentation that same day at the 2014 HIMSS Annual Conference, Susan McAndrew, OCR Deputy Director, explained that the survey will seek to verify if the entity, which has been chosen from a large OCR database, is a suitable candidate for a HIPAA audit by asking questions, such as “Is the organization still in business?” and “Is the organization the healthcare entity indicated by the database?”

OCR stated that the survey “will gather information about respondents to enable OCR to assess the size, complexity and fitness of a respondent for an audit.” Among other things, OCR intends to collect “recent data about the number of patient visits or insured lives, use of electronic information, revenue and business locations.”[2] Not all organizations that are surveyed will be audited.

OCR’s 2012 HIPAA pilot audit program uncovered a wide variety of HIPAA compliance failures, including Privacy Rule failures (such as a lack of NPPs, use and disclosure violations, and minimum necessary violations), Security Rule failures (such as incomplete risk analyses, improper media disposal, and inadequate access controls), and administrative failures (such as lack of training and failure to update policies and procedures).[3] In fact, OCR’s analysis of the 2012 pilot audit data revealed that two-thirds of the entities audited did not have a complete and accurate risk assessment.

Thus, one of the primary areas of focus in the 2014 audits likely will be whether covered entities and business associates alike have conducted timely and thorough security risk assessments as required by HIPAA. Indeed, on September 23, 2013, OCR Director Leon Rodriguez reported at the HIMSS Privacy and Security Forum in Boston that the covered entities audited in the pilot program often had conducted a “shallow risk analysis” that was not properly updated as circumstances changed, such as when the entities developed new business strategies or implemented new information systems. Director Rodriguez observed, “With any business change, an entity must review its risk analysis; yet, two-thirds of pilot participants – including 80 percent of providers – did not have a complete and accurate risk analysis.”

Another issue which is expected to be a focus of the 2014 audit program is the use of data encryption and an organization’s underlying risk analysis in deciding whether to encrypt or not encrypt. Under the Security Rule, encryption is an “addressable” requirement. Therefore, an organization which fails to encrypt must, through documentation, justify its decision and then select and implement a reasonable alternative. At the May 2013 OCR/NIST 6th Annual Conference on Safeguarding Health Information, Director Rodriguez reported that OCR’s pilot audit program revealed that encryption was not always implemented (or even considered) by organizations. He observed that organizations either implemented encryption or did nothing at all in justifying and documenting reasonable alternatives. Thus, Director Rodriguez stressed the importance of conducting a risk analysis related to encryption implementation in which an organization must weigh the pros and cons of encryption in making the final decision to encrypt or not to encrypt.

Finally, OCR also has stated that it is revising its audit protocol for the HIPAA Audit Program to reflect the changes included in the HIPAA Omnibus Rule that became effective on September 23, 2013.

The Guidance also advises that the disclosure of mental health information, like all PHI, must comply with both HIPAA and all other federal, state, and local laws that regulate such disclosures (e.g., the 42 C.F.R. Part 2 substance abuse program rules and the Family Educational Rights and Privacy Act rules).

Communications With Family and Friends

Under 45 C.F.R. § 164.510(b), health care providers may communicate with a patient’s family members and friends when the patient does not object and the disclosures are directly relevant to that person’s involvement in the patient’s care or payment for care. A provider may have permission to disclose PHI (or permission may be inferred) when a family member or friend is present in the treatment room at the patient’s invitation. HHS confirms that if a patient is incapacitated, a provider may share information with family and friends when that provider determines, based upon professional judgment, that the disclosure is in the patient’s best interest. The Guidance provides clear examples permitting disclosure when the patient does not object:

A psychiatrist may discuss the drugs a patient needs to take with the patient’s sister who is present with the patient at a mental health care appointment.

A therapist may give information to a patient’s spouse about warning signs that may signal a developing emergency.

The Guidance examines 45 C.F.R. § 164.510(b)(3), which permits a provider to disclose mental health information to friends or family when a patient is not present or is unable to agree or object due to incapacity or emergency circumstances and the provider believes it is in the patient’s best interests. Again, the disclosure must be directly relevant to the person’s involvement in the patient’s care or payment for care. In making these determinations, the provider should consider a patient’s prior expressed preferences and offer the patient who regains capacity the chance to agree or object to future disclosures.

The Guidance emphasizes that providers must abide by the wishes of their adult mental health patients who object to disclosures to friends and family. Nevertheless, HHS reiterates that HIPAA permits providers to warn family members or law enforcement if the provider perceives a serious and imminent threat to the health or safety of the patient or others and the disclosure may reasonably prevent or lessen the risk of harm.

State laws also may impose an affirmative “duty to warn” on mental health professionals when a patient poses an imminent threat. Providers regulated under Part 2 may have additional duties.

Psychotherapy Notes

The Guidance emphasizes that HIPAA provides extra protection to psychotherapy notes maintained separately since the therapist’s personal notes are not required for treatment, payment or healthcare operations. With few exceptions, providers must obtain a separate authorization to disclose psychotherapy notes.

Minor Mental Health Records

HHS also discusses 45 C.F.R. § 164.502(g), which contains several exceptions to the general rule that a provider may disclose PHI to a parent or guardian as the personal representative of a minor child:

A parent is not treated as a minor’s personal representative when: (1) State or other law does not require the consent of a parent before a minor can obtain a particular health care service, the minor consents to the service, and the minor has not requested the parent be the personal representative; (2) someone besides the parent is authorized by law to consent to the service and provides such consent; or (3) a parent agrees to a confidential relationship between the minor and provider with respect to the service.

The Guidance also states that parents do not have a right to a minor’s psychotherapy notes, although providers have discretion under HIPAA to disclose an individual’s PHI (including psychotherapy notes) to the individual’s personal representative. HHS advises providers to consult State or local law for any restrictions on such disclosures.